Nueces County officials are still working to recover hundreds of thousands of dollars lost in an email phishing scam that recently attacked the county courthouse, resulting in a loss of about $2 million, they said in a news conference on Sept. 8.
County officials became aware of the cybersecurity attack about two weeks ago after a fraudulent email caused a single check to be transferred from a county department to a bank, Nueces County interim Auditor Constance Sanchez told reporters.
The office is aware of five instances of the attacks, three of which resulted in the loss of funds, she said.
The first instance resulted in a loss of $56,850 — an amount that has been recovered, Sanchez said.
The other two instances involved larger transactions for $999,214.12 and $937,777.10, she said.
With the assistance of the county’s depository, Frost Bank, the $999,000 transaction will be recovered, she said.
The second transaction is still being investigated, Sanchez said.
County officials have been told they could recover the funds from the second incident, but they do not know the exact dollar amount, she said.
The bank has also informed the county that it could take as many as 120 days to recoup the funds into the county coffers, she said.
Sanchez reemphasized that the county auditor’s office is taking additional security measures to ensure electronic payments are not misdirected.
All wire transfers have been stopped to avoid future potential fraud, and all future payments to the county would be made on paper until further notice, except for payroll, she said.
“We had a check run last week and will continue to issue paper checks until the investigation is completed,” Sanchez said. “We have also contacted all of our vendors and suppliers who requested a payment type change during this last fiscal year.
“As a result of the calls, we were able to stop another fraudulent transaction from occurring,” she said.
The department has updated procedures and reviewed them with staff, she said.
“Going forward, any future changes in payment type method by any vendor or supplier will require in-person contact for authentication,” she said.
The phishing attack involved a scheme known as business email compromise, in which a fraudulent party impersonated a real vendor to reroute payments from the county to a fraudulent bank account.
At least one county employee clicked on a fraudulent email that initiated a transfer of funds into the account.
County employees are required to take cybersecurity training every year, said Nueces County Sheriff J.C. Hooper.
However, Sanchez said that although safeguards are in place, there was no written policy in place to pursue disciplinary action, which has since been corrected.
She said county officials have determined that the first known instance happened in July.
Residents can report suspected fraud by calling 1-800-CALL-FBI or 1-800-225-5324.
(This story was updated to add a video.)
MORE LOCAL NEWS
This article originally appeared on Corpus Christi Caller Times: Nueces County officials working to recover money lost in $2 million email scam
Reporting by Katie Nickas, Corpus Christi Caller Times / Corpus Christi Caller Times
USA TODAY Network via Reuters Connect
